Certificates Manager Question

[Monroe]

Reading the other post about rvkroots.exe and rootsupd.exe posted by heinoganda and others ... I became aware of Certificates Manager in XP. Spent a lot of time searching around on Google and have a few questions.

 

I looked in the various folders of the Certificate Manager and see many strange foreign looking items. I was reading this in an article about maybe getting rid of items that you don't know what they are. These paragraphs are from the article ... I will also post a link to the article. I was not aware of doing this manually. I have never "cleaned" anything out the Certificates Manager. Is this a necessary thing to have been doing?

 

"From an even broader perspective, you should keep your certificate stores clean in the same manner you limit the software installed on your systems. The same best practice applies to both scenarios: If you're not using it or don't know what it is, get rid of it!

 

That said, consider "clean" certificate stores as being those free of any outdated, unwanted, or unneeded certificates. Outdated or unnecessary certificates can cause a lot of problems for SysAdmins. And the maintenance needs to happen both on the CA and the application hosts. Both of the reasons mentioned above can cause your applications or websites to fail; and if your customers (be they external or internal) can't access the tools they need to do business, no one in the situation will be happy."

 

Recommendations for Cleanup

 

The recommendation for addressing the first reason is pretty straightforward: replace any certificates with a key length of 1024 bits or less with a stronger certificate ASAP. If you can't do that this month, and you have the necessary level of control over the computers that rely on those certificates, make sure those computers are not configured to automatically deploy KB2661254 when it goes live.

 

As for the second reason, we recommend reducing your certificate stores to about 180 certificates or less - just to play on the safe side. As you consider what certificates to remove, think of the following as "safe to delete":

 

    Expired certificates

    Unknown foreign certificates

    Certificates with a key length of 1024 bits or smaller

 

Article link:

 

Keep your certificate stores clean - applications could fail if you don't

 

https://thwack.solarwinds.com/community/solarwinds-community/geek-speak_tht/blog/2012/10/01/keep-your-certificate-stores-clean--applications-could-fail-if-you-dont

 

Maybe this has been discussed before but I seemed to have missed it ... I always thought the roots certificate from the MS monthly updates would be doing that ... but do all the old certificates or no longer used certificates just remain in the CM and keep building up. So the question from above ... should people be going into Certificates Manager to clean out what the above article talks about?

 

I also found this article:

 

Certificate cleanup for most personal computers

 

http://windowssecrets.com/top-story/certificate-cleanup-for-most-personal-computers/

 

Manually removing the certificates from XP systems

 

Windows XP users have the option of deleting the certificates manually or merely looking over the list of certificates installed to see whether the DigiNotar cert. is there. Here’s how:

 

Start out by clicking on the start button and typing mmc.exe. into the Run box. You’ll see a window pop up typically labeled Console1.

 

... there are more steps in the article.

 

I also found this article and someone posted a followup question:

 

I got into Certificate Manager on my XP system by going to computer Tools, Options, then certificates. I am horrified that there's all these foreign certicates on there, are they necessary and are they bad? Like TUrkey and a bunch of other places I have no idea what they are or why they're there. I've been trying all day to speed up my computer, cleaning, etc and this is the latest thing I'm finding to question.

 

Thanks for any help you can give me.

 

How can I start the Certificate Manager on Windows XP?

 

http://www.delphifaq.com/faq/windows_user/f1571.shtml

 

Question:

 

I know that Windows has a GUI interface to manage digital certificates. I have seen it on another computer but I cannot find a shortcut on my system at home, even though I have admin privileges. How can I start the Certificate Manager on Windows XP?

 

Answer:

 

The certificate manager is implemented as a Management Console Snap-in Control (MSC) file. The application can be started as certmgr.msc

 

Below is a list of other management console Snap-in controls. They are all in \Windows\System32

 

You can start them from the start menu, by clicking on 'run' and then entering the desired command, e.g. certmgr.msc.

 

... Is there a free tool around to "clean" old or junk certificates out of an XP system or it has to be done manually?

 

Just to add ... when looking in the Trusted Root Certification Authorities folder and Certificates folder ... I see many foreign entries from Brazil, India and other countries ... also many expired items from 2009, 2010 and so on.

 

monroe

Edited October 22, 2015 by monroe

[w2k4eva]

I hate it when "experts" advocate "cleaning" and get a little too delete-happy!

 

First, just because a cert is old or has expired doesn't mean it is useless. If it was used to sign something important during the time it was valid, you may need to keep it. In particular, https://support.microsoft.com/en-us/kb/293781 describes some that expired in 1999 but are still required for W2K, XP and W2K3.

 

Second, for the cases where you really do want to avoid using certain certs, such as some of those foreign CAs you never heard of, or a situation like DigiNotar, deleting them is NOT the best way to go. It not only doesn't solve the problem, but even worse, it leaves many users with a false sense of "security" that they have "dealt with it" when they really haven't. Next time you browse or do something that requires that cert, it will just get re-downloaded in the background and re-installed, similar to downloaded javascript or activex stuff. A much better way to deal with these is to move them to the untrusted store instead.

 

The mmc snapin can let you do this, you probably want to use an admin account to have the choice of "local computer" rather than "current user". It is generally a good idea to backup your existing certs before making changes. Expand the relevant plus signs in the tree pane and click the "Trusted Root Certification Authorities" (or whichever other list) on the left pane then either "Registry" or "Third-Party", right-click and select All Tasks->Export Store, save the file somewhere. Then do the other location.

 

Look through the list of certs in the right pane to find the one you want to un-trust and highlight it, right-click and select "cut". Then highlight Certificates under Untrusted Certificates-Registry from the left pane (the list that appears in the right pane should include DigiNotar and similar entries already un-trusted), right click, Paste.

 

Third, I am a bit dubious of phil3's blanket claim that problems will result from having more than 200 certs in the trusted root store. I have never seen a system with so few and it does not seem to cause problems! The system I am using to type this post has 422 and there is no trouble searching for any of them. (At least for client skus - not many home users run a SSL/TLS server. If you do then KB933430 and/or KB2801679 may be interesting. Microsoft does not say the issue is a limit of 200 certs but rather that the list being sent by the server needs to fit within 16kb.)

 

In any case his concern about KB2661254 is ancient history, that update was issued on Aug 2012 and reissued on 9 Oct 2012, so those old 1024bit certs should have long since been flushed out and replaced by now. Even back then it was only a concern for those in corporate environments that were depending on internally used certs that were not going to be changed out in a timely manner, not really an issue for home users.

 

Now as to whether anyone needs to manually cleanup certificate stores...  in theory we should have been able to rely on Microsoft to be cancelling those bad certs through the automatic update system. But as a practical matter it can take way too long for these things to get discovered, and afterward even longer before an update was generated and released, then for the next patch tuesday to roll around, and still longer for users to eventually apply those patches, which is probably why Vista and up default to using the automatic update-on-the-fly method. But now that W2K3 support is ended, the only reason Microsoft has left to generate those updates is for use in disconnected environments that can't use the newer system... but since disconnected networks are considered to be less at risk, those updates might now be generated less often than when they were being used by the older no longer supported OSs. So we may see more situations in the future where we hear about known bad certs but the relevant update is not immediately forthcoming from Microsoft. In those cases manual cleanouts (preferably, un-trusting rather than deleting) could be useful.

 

Even worse, Microsoft is not likely to cancel many of the foreign government certs unless there is evidence of abuse, and maybe not even then, if the perps appear to be part of some state agency. But that doesn't mean we all want the government of Pakistan to decide what websites we here in the US will trust by default.

 

I'd be really skeptical of any tool that claims to clean them out for you. The basic problem is that someone else's idea of what is an undesireable cert may not match your needs - can you really trust someone else to decide for you what is trustworthy? This is one area I would not want to outsource my thinking!

 

[Monroe]

w2k4eva ... thanks for the reply and all the information on certificates, very good reading. I never knew too much about them, since MS would supply updates every so often.

 

A few days ago I decided to get more information ... when I found out how to locate them and I saw so many foreign certs and expired certs ... I was wondering if they were safe to still have around.

 

After I posted that earlier post I found someone also saying what you said ... expired certs can still be needed.

 

I also found this article ...

 

Why do we not trust an SSL certificate that expired recently?

 

http://security.stackexchange.com/questions/31463/why-do-we-not-trust-an-ssl-certificate-that-expired-recently

 

So you cannot trust an expired certificate because you cannot check its revocation status. It might have been revoked months ago, and you would not know it.

 

A good question. The simplest answer is that having an expiration date ensures that you have an "audit" every so often. If there were no expiration date, and someone stopped using a certificate (and protecting the private key), no one would ever know. However, by having an expiration date you ensure that the user goes back to the company that sold them the SSL certificate and pays them lots more money err, I mean, has an audit and is re-validated as the person or service they claim to be (I'll try to leave rants about the current internet security model out of this question).

 

The problem then becomes: If you're going to have a grace period in which you ignore expired certificates, how long does it last? A day? A week? A month? At some point you simply have to stop trusting the certificate; if you make that point a day after the expiration, you can still ask yourself: "What could have happened between today and yesterday?" And you fall into a loop.

 

Essentially, you're right: People don't magically stop protecting their private keys as soon as the expiration date hits (or they may have stopped protecting them a long time ago and no one knows because they didn't revoke them and they haven't expired yet). The expiration date says nothing about the security of the certificate, but if you don't have a cut off you'll never know that a certificate may be forgotten about whereas with one you at least know that much.

 

... well I will probably leave everything as is for now ... I need to know more about certificates. I also do not use Internet Explorer very often. I have Pale Moon (Atom-WinXP) installed and there are frequent updates ... so the certificates in that browser would be more up to date ... if I understand about browsers and certificates correctly.

 

monroe

Edited October 23, 2015 by monroe

[w2k4eva]

Essentially, you're right: People don't magically stop protecting their private keys as soon as the expiration date hits (or they may have stopped protecting them a long time ago and no one knows because they didn't revoke them and they haven't expired yet). The expiration date says nothing about the security of the certificate, but if you don't have a cut off you'll never know that a certificate may be forgotten about whereas with one you at least know that much.

 

For me what it comes down to is this. Website operators know that users will see those warnings if they don't renew their certs on time, and reputable sites want to keep their reputation for integrity. If they are cutting corners on renewals despite the public embarrassment of being caught at it in this visible area, what else are they not being diligent about that we cannot see, like what they do with their private keys or our credit card numbers? It does raise the question of whether sloppy practice in one area spills over into sloppiness elsewhere and whether they really are serious about protecting the security of their customers - do we really want to do business with such careless firms?

 

 

... well I will probably leave everything as is for now ... I need to know more about certificates. I also do not use Internet Explorer very often. I have Pale Moon (Atom-WinXP) installed and there are frequent updates ... so the certificates in that browser would be more up to date ... if I understand about browsers and certificates correctly.

 

Using PaleMoon will cover your browsing by using its own cert store rather than the one managed by Windows. But it will not cover the other uses of certificates - for instance secure email, secure FTP, codesigning, etc. You might be using webmail rather than Outlook Express, or Thunderbird which also uses its own cert store. Maybe you don't use FTP at all whether secured or not. But you will likely still install programs and/or updates or device drivers, so codesigning will be important for those things. And that means needing to keep the cert revocation list up to date for those other uses.

 

[Monroe]

w2k4eva ... again thanks for more information, for sure I know a lot more about root certificates than I did one week ago.

 

Yesterday I found out about the nssckbi.dll in FFox, Pale Moon and K-Meleon. I have an older version of KM (v1.8.24) from last year and I just downloaded K-Meleon 75.1 (portable) and transfered that dll to my older KM v1.8.24 version ... all seems to be working well at various web sites ... when I tried the nssckbi.dll from the latest version of Pale Moon 25.7.3 into K-Meleon many web pages did not work ... many errors. I would like to keep using the older KM version but later today I am going to work with the newer K-Meleon 75.1 version also.

 

At this time last week I did not know that many browsers had their own root certificates included ... I was under the impression that the MS update was also for other browsers ... which it is for some but not for others.

 

Very good information provided by everybody ...

 

monroe

 

[Monroe]

Speaking of certificates ... this just came to my attention a few minutes ago.

 

"Certificate authorities said they will respond by no longer issuing SHA1 certificates at midnight, January 1 2016, opting instead for SHA2 certificates. SHA2 is a significantly stronger algorithm that will last for many years to come. But there's a problem. A small but sizable portion of the internet's users don't have browsers or devices that are compatible with SHA2."

 

As sites move to SHA2 encryption, millions face HTTPS lock-out

 

"We're about to leave a whole chunk of the internet in the past," as millions of people remain dependent on old, insecure, but widely-used encryption.

 

October 23, 2015

 

http://www.zdnet.com/article/as-sha1-winds-down-sha2-leap-will-leave-millions-stranded/?tag=nl.e589&s_cid=e589&ttag=e589&ftag=TREc64629f

 

In 2016, tens of millions of people around the world will face trouble accessing some of the most common encrypted websites like Facebook, Google and Gmail, Twitter, and Microsoft sites.

 

Why? Because their browser or device will be unable to read the new, more secure certificates.

 

SHA1, the cryptographic hashing algorithm that's been at the heart of the web's security for a decade, will be retired in a little over a year. Some say it could be cracked by the end of the year, essentially making it useless and weakening security for millions of users.

 

Certificate authorities said they will respond by no longer issuing SHA1 certificates at midnight, January 1 2016, opting instead for SHA2 certificates. SHA2 is a significantly stronger algorithm that will last for many years to come. But there's a problem. A small but sizable portion of the internet's users don't have browsers or devices that are compatible with SHA2.

 

"We're about to leave a whole chunk of the internet in the past," said CloudFlare chief executive Matthew Prince, during a conversation in our New York newsroom earlier this month.

 

'One million websites' running risky crypto

 

Encryption isn't important just for protecting your online banking, email accounts, and social networks. That green lit-up bar or padlock in your browser also verifies the integrity of a site, offering a strong level of assurance that the page has not been modified in any way.

More sites nowadays are adopting encryption because it costs little to nothing to implement.

In an age of daily data breaches, hacks, and mass surveillance, adopting a strong SHA2 algorithm is more important than ever. But browser makers and website owners alike thought they had more time.

Prominent security researchers thought SHA1 would last until about 2018, but now they think the SHA1 algorithm may be broken by the end of 2015.

 

The good news is that most website are already using the stronger SHA2 certificates. About 24 percent of SSL-encrypted websites still use SHA1 -- or, about 1 million websites.

 

That figure is declining every month, so much so that by the end of the year it could fall as low as 10 percent of all websites, meaning the vast majority of encrypted websites will be safe from SHA1 collision attacks.

 

For most people, there's nothing to worry about. The majority are already using the latest Chrome or Firefox browser, the latest operating system, or the newest smartphone with the latest software, which are compatible with the old SHA1-hashed websites and the newer SHA2-hashed websites.

 

But many, particularly those in developing nations, who are running older software, devices, and even "dumbphones," the candy-bar cellphones that have basic mobile internet, will face a brick wall, because their devices aren't up-to-date enough to even know what SHA2 is.

 

Mozilla's 'one million downloads' mistake

 

There's no way to tell exactly how many will be affected until it happens, in part because there are no concrete figures on how many people are running old or unsupported browsers or devices. Ivan Ristic, head of of SSL Labs at Qualys, said in an email that users of Windows XP SP2 and earlier, and Android 2.2 and earlier, do not support SHA2 certificates.

 

... it's a long article ... more at the link.

 

monroe

Edited October 24, 2015 by monroe

[Monroe]

I found some additional information regarding Win XP and SHA-2 ... the article says that Win XP SP3 should be OK, if I understand this. Anything lower than SP3 will not work ...

 

"Support for SHA-2 has improved over the last few years. Most browsers, platforms, mail clients, and mobile devices already support SHA-2. However, some older operating systems such as Windows XP pre-SP3 do not support SHA-2 encryption."

 

SHA-2 Compatibility

 

Software and Hardware that Support SHA-2

 

https://www.digicert.com/sha-2-compatibility.htm

 

Support for SHA-2 has improved over the last few years. Most browsers, platforms, mail clients, and mobile devices already support SHA-2. However, some older operating systems such as Windows XP pre-SP3 do not support SHA-2 encryption.

 

Many organizations will be able to convert to SHA-2 without running into user experience issues, and many may want to encourage users running older, less secure systems to upgrade.

 

This page lists the minimum version required for SHA-2 as well as some exceptions.

 

.... there is a list.